Legal

Privacy Policy

Last updated: 3 July 2026

This privacy notice for Datalaw Ltd ("we", "us", or "our") explains how and why we collect, use, store, share and otherwise process your personal information when you interact with our services.

It applies when you:

  • visit our website at https://lawapprenticeships.co.uk or any other website we operate that links to this notice;
  • register for, purchase, or use any of our continuing professional development (CPD), legal training, accreditation, or apprenticeship services;
  • are an apprentice or learner enrolled on a programme delivered by Datalaw under a contract with the Department for Education (DfE), an awarding body, or an end-point assessment organisation;
  • attend our live online training, workshops, or induction sessions;
  • or engage with us in any other way, including through marketing, events, or correspondence.

This notice is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA), as well as the Privacy and Electronic Communications Regulations 2003 (PECR) where relevant.

Note: since 31 March 2025 the Department for Education (DfE) has taken over the functions of the former Education and Skills Funding Agency (ESFA). References in this notice to the DfE include those former ESFA functions.

If you have questions or want to exercise any of your rights, you can contact our Data Protection Officer at dpo@datalaw.org. Full contact details are at the end of this notice.

Summary of key points

  • What personal information do we process? Account, contact, billing, professional, learning, and limited sensitive data when you register, learn, purchase, or correspond with us. See Section 1.
  • Do we process any sensitive personal information? Yes – limited categories, with your explicit consent or under a specific UK GDPR Article 9 condition. See Section 1.
  • Do we record training sessions? Yes. We record our live apprenticeship training, workshops and induction sessions, which capture participants' image, voice and contributions; we rely on our legitimate interests to do this, not on your consent. We also record the live webinars we run for our courses, but published recordings capture only the presenter. See Section 4.
  • Do we use AI? Yes – clearly labelled AI assistants and AI-supported reporting tools. We explain providers, training-data position, automated decision-making, and human review in Section 7.
  • Do we share your information? Only with named categories of recipients – sub-processors, regulators, and education partners – under written agreements. See Section 5.
  • How long do we keep it? Only for as long as necessary, with documented retention periods. See Section 9.
  • What are your rights? UK GDPR rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Plus the new right under DUAA 2025 to complain directly to us before going to the Information Commissioner. See Section 12.

1. What information do we collect?

Personal information you provide to us

In short: We collect personal information you give us when you register, learn, purchase, or contact us.

Depending on how you interact with us, this may include:

  • Identity and contact data – name, job title, employer, work address, email address, phone number;
  • Account data – username, password (hashed), contact preferences;
  • Billing data – billing address, invoice details, VAT number where applicable;
  • Learning data – courses purchased, course progress, assessment results, certificates issued, attendance records, CPD logs, and session recordings (image, voice, and contributions from live online sessions – see Section 4);
  • Apprenticeship data – Unique Learner Number (ULN), date of birth, prior qualifications, employer details, off-the-job training records, end-point assessment data, DfE-required information;
  • Communications – emails, support tickets, feedback, survey responses;
  • Payment data – payment instrument number and security code where you pay by card, and bank account details where you pay for a subscription by Direct Debit. Card payments are handled by Stripe and Direct Debit payments by GoCardless; neither your card number nor your bank details are stored on our systems. See stripe.com/gb/privacy and gocardless.com/privacy.

Sensitive personal information

We process special category data and other sensitive data only where strictly necessary, on a documented Article 9 UK GDPR condition (and where applicable a Schedule 1 DPA 2018 condition). The categories we may process are:

  • Information revealing racial or ethnic origin – collected solely for equal-opportunities monitoring on apprenticeship and accreditation programmes; lawful basis Article 9(2)(g) UK GDPR / DPA 2018 Schedule 1 Part 2 paragraph 8 (equality of opportunity or treatment);
  • Health information – only where you tell us about a reasonable adjustment requirement for an examination, live session or assessment; Article 9(2)(b) employment, social security and social protection law, or 9(2)(h) provision of social care, as applicable;
  • National Insurance number – for apprenticeship learners only, required by the DfE and the awarding body; lawful basis Article 6(1)(c) legal obligation.

We do not process special category data for marketing purposes or to make automated decisions about you.

Information collected automatically

In short: We automatically collect technical and usage information when you visit our services.

This information does not on its own reveal your identity, but may include your device and usage data such as IP address, browser characteristics, operating system, language settings, referring URLs, country, region, page views and interactions. We collect it to help keep our services secure, prevent abuse, and support internal analytics. See our Cookie Policy for the specific tools and cookies we use.

Information from third parties

We may receive information about you from awarding bodies, employers, the DfE and the Education Regulator, referring public websites (LinkedIn, Google), employer-sponsored learner portals, and marketing partners, but only where you've agreed to that sharing or a lawful basis applies.

Google API

Where we use Google APIs, our use complies with the Google API Services User Data Policy, including the Limited Use requirements.

2. How do we process your information?

In short: We process your information to deliver, improve, secure, personalise and market our services, comply with legal obligations, and support your engagement with our team.

Specifically, we process your personal information to:

  • create and administer your account;
  • deliver the courses, accreditation, CPD, and apprenticeship programmes you enrol on;
  • process payments and refunds;
  • provide customer support and respond to your enquiries;
  • send you service messages – course updates, invoices, session reminders;
  • comply with statutory obligations (e.g. DfE reporting for apprenticeship learners);
  • prevent fraud, abuse and security incidents;
  • develop, test and improve our services, including AI-supported tools;
  • send you marketing information about our services where you have consented or where a soft opt-in applies;
  • comply with legal and regulatory requirements.

3. What legal bases do we rely on?

In short: We process your information on one or more of the lawful bases in Article 6 of UK GDPR, and where relevant a Schedule 1 DPA 2018 condition.

  • Consent (Article 6(1)(a)) – e.g. where you subscribe to a marketing list, opt into optional cookies, or provide explicit consent for sensitive processing.
  • Contract (Article 6(1)(b)) – to provide the services you have signed up to buy or attend, and to fulfil related obligations to you.
  • Legal obligation (Article 6(1)(c)) – to satisfy our regulatory, tax, apprenticeship and safeguarding reporting duties.
  • Legitimate interests (Article 6(1)(f)) – for processing required to run, secure, monitor and improve our services and communicate with you about relevant training. We balance this against your rights and freedoms.
  • Vital interests (Article 6(1)(d)) – rarely, for example, to protect a learner's life in an emergency.

4. Recording of live training sessions

In short: We record live training sessions, workshops, and induction sessions, using our legitimate interests.

As part of our apprenticeship, accreditation and other online-delivered continued professional development (CPD) services, we record live training sessions and workshops. These recordings capture participants' image, voice and spoken contributions and are used for the purposes below.

Recordings are stored within platforms we operate (for example, our learning management system and our secure storage in the cloud, hosted in the UK or EU).

Why we do this. Our lawful basis is Article 6(1)(f) UK GDPR – our legitimate interests. Specifically, we rely on legitimate interests to:

  • deliver and enable independent (asynchronous) study for learners who cannot attend live sessions;
  • support learner and employer reviews of session content, learner progress and behaviour, including EPA-based scenarios, in line with DfE Off-the-Job (OTJ) requirements, prior warnings for our accreditation and end-point assessments;
  • reference material against which we assess authenticity, plagiarism, IT-safe and integrity concerns; and
  • inform disciplinary, safeguarding or complaint procedures.

How we handle recordings. Recordings are stored securely in access-controlled systems, provided access-based rights and permissions and are limited to authorised staff, the assigned assessor, apprentice, learner or employer sponsor of the recording. Access is only granted for the duration necessary for the stated purpose.

How long we keep recordings. We retain recordings only for as long as needed for the purposes above. For a live-training or induction recording, that is normally 12 months from the session date. For assessment-related recordings (formative or summative), we retain for the period stipulated by the awarding body or end-point assessment organisation.

Your rights. You have the right to object to processing under Article 6(1)(f). If you object, we will review your objection and stop the recording processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is necessary for the establishment, exercise or defence of legal claims. In practice, we will minimise the number of people identifiable in a recording by muting participants who prefer not to appear and offering a private review session.

5. When and with whom do we share your personal information?

In short: We only share your personal information with the following categories of recipients.

We share your personal information with the following categories:

Sub-processors and service providers

  • Cloud hosting and storage – Amazon Web Services (UK / EU regions), with a hosting site in the East of the UK;
  • Payment processing – Stripe, GoCardless;
  • Email delivery and marketing – Mailchimp, Resend;
  • CRM and analytics – HubSpot, Google Analytics 4;
  • Learning management system – Datalaw's proprietary LMS platform running on AWS UK / EU;
  • Videoconferencing – Zoom (used at UK/EU data centres), Google Workspace;
  • Support and communications – Google Workspace, Slack, LinkedIn ("Talent Solutions" only where the learner is a candidate for a role);
  • AI processing – see Section 7 for AI providers and processing conditions.

Education and apprenticeship partners

  • DfE (formerly ESFA), including through the Digital Apprenticeship Service (DAS) and the Individualised Learner Record (ILR);
  • Awarding bodies and end-point assessment organisations – e.g. City and Guilds, Pearson, CILEx, CLC, IAPP;
  • Apprenticeship levy-paying employers and their sub-contracted delivery partners;
  • Ofsted, HMRC and other regulators – where a statutory duty applies.

When we share for the DfE and awarding bodies. When you enrol on an apprenticeship, we are required by our contract with the DfE and the relevant awarding body to share your personal data for the delivery of the apprenticeship, reporting, funding, and end-point assessment purposes.

When we share with employers. Where you are an apprentice funded by an employer, we share progress reports, session attendance, off-the-job training records, review meeting notes, and end-point assessment outcomes with your employer and any nominated line manager.

Other recipients

  • Professional advisers (auditors, solicitors) under a duty of confidentiality;
  • Regulators or law enforcement, where required by law;
  • Successors in the event of a business sale, merger or restructuring – with appropriate safeguards;
  • Anyone else you direct us to share with (with your consent).

6. Cookies and other tracking technologies

In short: We use a small set of cookies and similar technologies for site operation, security, analytics, and marketing consent.

Our cookie banner offers granular control on optional cookies (analytics, targeting). Strictly necessary cookies are used to enable core functionality. You can change your preferences at any time via the "Cookie preferences" link in our footer, or by clearing your browser cookies. For the full list of the specific cookies we use, purposes and retention, see our Cookie Policy.

7. AI Products and automated processing

In short: We use AI to speed up specific tasks, always with human review of anything that materially affects you.

Where we use AI

  • At the frontend of the site, our chatbot AI ("Ask Us Anything") can answer common questions and route enquiries. It uses OpenAI GPT models under our commercial subscription and does not add your interactions to OpenAI's training corpus.
  • On the CPD and learning platform, we use AI-supported tools to summarise session recordings, generate practice questions, and support content moderation. Providers include OpenAI, Anthropic and Microsoft Azure OpenAI (UK/EU regions).
  • For internal reporting on learner progress and compliance, we use anonymised or pseudonymised data through in-house automated tools. Human staff review any output that would materially affect an individual (for example, a decision on progression, funding, or a complaint).

Why providers are

Our providers all publish DPAs and Standard Contractual Clauses (SCCs) with the UK Addendum. We ensure that no data with an EU or UK data subject is transferred outside the UK/EU for processing without those safeguards in place. Where a provider has multiple regions, we select UK or EU regions by default.

Training-data position

We take reasonable technical and organisational measures to ensure that any prompts, transcripts, or attachments you send through our AI tools are not used by the provider to train their models. This is contractually confirmed with our providers, or via the "no-training" API option where available.

Automated decision-making (Article 22 UK GDPR)

We do not make any decision that produces legal effects concerning you, or similarly significantly affects you, based solely on automated processing – including profiling. Where any assessment, ranking, or reporting tool influences a decision, a member of our team reviews the output before we act on it.

EU AI Act transparency

Where the EU AI Act applies (for example, apprentices resident in the EU) we treat all AI systems as high-risk or limited-risk according to their function, and we document our AI system inventory, risk classification, and human oversight measures. You can request a copy of our AI system register.

8. International data transfers

Where personal data leaves the UK, we rely on adequacy regulations (currently for EU / EEA countries) or, if adequacy is not available, on a UK GDPR Article 46 transfer mechanism (usually the ICO International Data Transfer Agreement, or the UK Addendum to the EU SCCs), with a documented transfer impact assessment.

For our sub-processors, cross-border transfers are typically limited to:

  • the US (with the UK Extension to the EU–US Data Privacy Framework as the primary adequacy route, or SCCs as a backup);
  • the EU (adequacy);
  • Ireland, Belgium and Germany (adequacy).

9. How long do we keep your information?

In short: Only as long as needed for the purpose we collected it.

Indicative retention periods:

  • Account and billing data – for the life of your account, plus six years from your last activity for tax and contract purposes.
  • Apprenticeship data – for the duration of the programme, plus the period required by the DfE (currently minimum six years from the end of the programme, longer for some awarding bodies and safeguarding categories).
  • Live training session recordings – see Section 4.
  • Marketing data – until you withdraw consent or unsubscribe, plus a short suppression retention (usually 24 months).
  • CPD certificates and course completion records – 8 years from issue.
  • Support tickets and complaint records – 6 years from resolution.
  • Financial records – 6 years from year end.
  • Card details – handled by Stripe, not stored on our systems.
  • Marketing preferences – until you change or withdraw them, plus a technical audit trail.

When the retention period expires, we delete or anonymise your personal data, unless it is subject to a legal hold (for example, an ongoing complaint, audit, or investigation).

10. How we keep your information safe

We use industry-standard technical and organisational measures appropriate to the risk of the processing. These include:

  • encryption in transit (TLS 1.2+) and at rest (AES-256);
  • multi-factor authentication on all admin accounts;
  • role-based access control with the principle of least privilege;
  • logging, monitoring and alerting on our production systems;
  • annual penetration testing on our public-facing services;
  • structured onboarding and offboarding processes for staff, with cyber-security training;
  • an incident response process aligned with the ICO's guidance.

We have not experienced a personal data breach that has met the threshold for notification to the ICO in the past 24 months. Where a breach does occur, we will notify the ICO within 72 hours, and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

11. Children, young people and apprentices

In short: We do not knowingly process the personal data of children under 13, and we take extra care where an apprenticeship learner is aged 16–18.

Where a learner is under 18 at the start of their apprenticeship programme, we operate our safeguarding policy, which includes:

  • consent from parent or guardian for image and voice recording (where practicable), or the safeguarding lead for looked-after learners;
  • age-appropriate content standards for live sessions, marketing and self-directed learning;
  • staff DBS checks for anyone in a substantive one-to-one contact role.

If you are a parent or guardian and have any concerns about how we handle a young apprentice's data, please contact our DPO at dpo@datalaw.org.

12. Your privacy rights

In short: UK GDPR gives you rights over your personal information, plus a new right under the Data (Use and Access) Act 2025 to complain to us before going to the ICO.

Subject to some conditions, you have the right to:

  • ask us for a copy of the personal data we hold about you (a Subject Access Request);
  • ask us to correct inaccurate or incomplete data;
  • ask us to erase your data ("right to be forgotten");
  • ask us to restrict processing where you dispute accuracy or the lawful basis;
  • receive a copy of your data in a portable format (data portability);
  • object to processing based on our legitimate interests, including marketing;
  • withdraw consent at any time for consent-based processing;
  • object to solely automated decisions with legal or similarly significant effects.

How to exercise your rights. Send a written request to our DPO at dpo@datalaw.org, or use the address at the end of this notice. We will respond within one calendar month (occasionally extended by two months for complex requests, with notice).

Right to complain to the regulator

If you're unhappy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO). Under the DUAA 2025 you must first give us the opportunity to resolve the complaint. We commit to responding to any complaint within 30 days.

13. Data breaches

Where we suffer a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours and (where the risk is high) affected individuals without undue delay.

14. Updates to this notice

We will update this notice when our processing, tools, or the law changes. The "Last updated" date at the top will reflect that. Where an update materially changes your rights or how we use your data, we will notify you actively (email, in-service banner, or both).

15. How to contact us

If you have questions about this notice, you can contact us:

  • Post: Datalaw Ltd, Bassett House, 1 Salford Quays, Manchester M5 3EN, United Kingdom
  • Email: info@datalaw.org
  • Phone: 0151 236 2024

16. How to make a subject access or other rights request

To request access to, correction of, or deletion of your personal information, email our DPO at dpo@datalaw.org. Please include enough information to verify your identity and describe the request.

  • We will respond within one calendar month.
  • We will provide the data or explain why we cannot, and if we cannot, we will tell you what your options are.
  • Standard requests are free. For manifestly unfounded or excessive requests we may charge a reasonable fee or refuse the request, with reasons.